10-13-2013 05:11 AM - edited 03-11-2019 07:51 PM
Hello,
can you please advise how to make a NAT object where I want to map all traffic from one address a.b.c.d to address x.y.v.z excluding that traffic which is going to k.l.m.n.
It is like this BSD rule:
map xl3 from a.b.c.d/24 ! to k.l.m.n/13 -> x.y.v.z/32
Thank you.
10-13-2013 05:19 AM
Hi.
I am not sure I understand your question completely.
Are you saying that you simply want to map a certain host address to something else when it is going to a certain destination address? If so you can naturally configure this with Manual NAT. This Manual NAT would only apply when traffic is coming from a certain source address and going to a certain destination address. All other traffic would have some other NAT rule applied.
You can't really exclude anything from a NAT configuration in the new ASA software levels (8.3 and above). You simply configure the NAT to be as specific as it can be so that it applies only to the certain traffic you want.
The older software levels (8.2 and below) I think had some changes to exclude some traffic from a NAT rule but even then it had pretty limited options.
So I think we need a bit of clarification on what the actual setup requirement is (at least I do)
- Jouni
10-13-2013 05:29 AM
Jouni, thank you for quick reply.
It is that I'm new in this, and reading a manual is not helping me. I can do a simple rule like
object network obj_name
host a.b.c.d
nat (GE0/1,any) static x.y.v.z service tcp no1 no2
Which I simply understand that it is mapping outgoing ip a.b.c.d to x.y.v.z
What I need is that the firewall will look at the packet and if it would go to destination ip k.l.m.n it won't translate address a.b.c.d to x.y.v.z
Or maybe I'm confused a lot :-)
-Marek
10-13-2013 05:42 AM
Hi,
Seems that your original NAT rule above is a Static PAT configuration.
It's also configured so that this translation will apply to any destination interface. I personally tend to use only the required destination interface in the "nat" command so that it doesn't apply to traffic from other interfaces.
So to know that I am giving the right instructions I would need to know behind which interface are the destination networks to which your example NAT should apply to and behind which interface is the destination k.l.m.n address that this NAT should not apply to?
I am still a bit confused about the NAT configuration you have provided. It's a Static PAT configuration that is usually configured to enable connections incoming from the destination interface of the command and it usually doesn't apply to connections formed from the source host a.b.c.d (except when it's replying to the connection coming from behind the other interface)
If you had said that you had this Static NAT configuration (that doesn't mention the service)
object network obj_name
host a.b.c.d
nat (GE0/1,any) static x.y.v.z
Then the example would have been clearer.
Just to give an example
I have a Static NAT configuration that binds a local address to a public address
object network STATIC
host 10.10.10.10
nat (LAN,WAN) static 1.1.1.1
Now if the host 10.10.10.10 connects to any network behind interface "WAN" it will always have this NAT applied.
If we want to avoid this from happening and have some certain destination IP address to which we don't want to do any translation then we would configure
object network DESTINATION
host k.l.m.n
object network HOST
host 10.10.10.10
nat (LAN,WAN) source static HOST HOST destination DESTINATION DESTINATION
The above configuration is most commonly used in situations where the host needs to be contacted from behind a VPN Client or L2L VPN Connection.
- Jouni
10-13-2013 06:04 AM
Hi Jouni,
so when I have this BSD rule:
map xl2 from 192.168.1.0/24 ! to 10.50.0.0/13 -> 90.162.12.2/32
where xli1 is LAN and xl2 is WAN
it should be like this?:
object network HOST
subnet 192.168.1.0 255.255.255.0
object network EXCLUDE
subnet 10.50.0.0 255.240.0.0
nat (xl1,xl2) source static HOST destination 90.162.12.2
nat (xl1,xl2) source static HOST HOST destination EXCLUDE EXCLUDE
???
Thanks,
Marek
10-13-2013 06:16 AM
Hi,
I have no idea about BSD rules myself. I guess it refers to an actual PC OS?
But if you have a Static NAT configured for a SINGLE host and want to avoid that Static NAT being applied when the host in question connects to a certain destination network/host (or even multiple different networks/hosts) then you would configure
Static NAT
object network STATIC
host
nat (xl1,xl2) static
NONAT / NAT0 / NAT Exempt
object network NONAT-DESTINATION
subnet
object network NONAT-SOURCE
host
nat (xl1,xl2) source static NONAT-SOURCE NONAT-SOURCE destination static NONAT-DESTINATION NONAT-DESTINATION
In the above configuration we first define Static NAT for IP address
We also have a requirement that the above Static NAT should not apply for this
Hope this made sense
- Jouni
10-13-2013 06:23 AM
Great, this makes sense to me now.
Just one question that higher priority is because that Static NAT is made inside the object STATIC and the second rule is made outside any object?
Thank you very much, appreciate your help.
Marek
10-13-2013 06:31 AM
Hi,
It's a bit hard to explain
I did write a document here on the Cisco Support Community about this new NAT configuration format, even though it doesn't yet answer all the questions.
You can look at it here
https://supportforums.cisco.com/docs/DOC-31116
It explains the order of NAT configurations
But to explain the same thing here it would basically be this
There are essentially 2 type of NAT configurations in the new ASA software.
There are also 3 Sections of NAT configurations
Hope that made sense
Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.
Feel free to ask more if needed though
- Jouni
10-13-2013 06:52 AM
Amazing, now I understand it well and I can do some more difficult things.
I want to translate all udp and tcp traffic from 172.50.20.0/24 to 90.160.12.2 but to ports 20001-30000 is this correct after our discussion?
object network SOURCE
subnet 172.50.20.0 255.255.255.0
object service UDP_IN
service udp source any
object service UDP_OUT
service udp source range 20001 30000
object service TCP_IN
service tcp source any
object service TCP_OUT
service tcp source range 20001 30000
nat (inside,outside) source static SOURCE 90.160.12.2 service UDP_IN UDP_OUT
nat (inside,outside) source static SOURCE 90.160.12.2 service TCP_IN TCP_OUT
Thank you,
Marek
10-13-2013 07:05 AM
Hi,
I think again we have to clarify a bit what you want to actually do so I can give an accurate answer. If I understood you correctly you have used some other device to do NAT before Cisco firewalls so we might be talking about the same things but with a bit different terms/logic
Do you want to
OR Do you want to
OR something else perhaps?
- Jouni
10-13-2013 07:10 AM
Jouni,
the second one is what I actually want to do.
Thank you,
Marek
10-13-2013 08:33 AM
Hi,
I think I have gotten this to work better with some configuration but couldn't find that post.
I would imagine this is not some configuration I would want to suggest to anyone without having doubts of its actual performance and reliability.
object service TCP-REAL-PORTS
service tcp source range 0 65535
object service TCP-MAPPED-PORTS
service tcp source range 20001 30000
object service UDP-REAL-PORTS
service udp source range 0 65535
object service UDP-MAPPED-PORTS
service udp source range 20001 30000
object network SOURCE
subnet 172.50.20.0 255.255.255.0
object network PUBLIC
host 90.160.12.2
nat (inside,outside) source static SOURCE PUBLIC service TCP-REAL-PORTS TCP-MAPPED-PORTS
nat (inside,outside) source static SOURCE PUBLIC service UDP-REAL-PORTS UDP-MAPPED-PORTS
When testing traffic from "inside" to "outside" with the "packet-tracer" command it seemed to operate the way you wanted but I am still not really convinced.
Will have to see if I can find the older thread/discussion where I made a similar configuration.
- Jouni
10-13-2013 09:23 AM
Jouni,
seems like you purified what I wrote above, so I think it should work now with your right and legit commands.
Thank you again.
Marek